Investment Advisor Digital Employee

Security checks across malware telemetry and agentic risk

Overview

The skill appears finance-related, but its declared no-tool/no-data posture conflicts with reported instructions to use external lookups and generate files.

Install only if you are comfortable with the skill performing external financial lookups and creating local report files despite metadata that appears to say otherwise. Do not provide account credentials, portfolio holdings, personal identifiers, or confidential business data unless the publisher corrects the permission and data-flow disclosures.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (4)

Description-Behavior Mismatch

Severity: High
Confidence: 98%
Finding:
The skill explicitly claims there is no executable code, no network calls, and no credential or data handling, but later instructs active use of external data tools and generation of output files. This mismatch can cause the platform or reviewer to trust a skill under false assumptions, leading to unintended data processing and outbound access when user inputs such as stock or fund identifiers are provided.

Scope Creep

Severity: Critical
Confidence: 99%
Finding:
The manifest declares `allowed-tools: []` and claims a no-executable, advisory-only skill, yet the body repeatedly instructs execution of external tool/API calls and even Python-based Excel generation. This creates a policy bypass condition where deployment metadata says the skill is inert while the content attempts to drive privileged actions beyond declared permissions.

Intent-Code Divergence

Severity: High
Confidence: 97%
Finding:
The documentation assures users that no business data or PII will be accessed or processed, but subsequent modules direct the system to send user-supplied securities and fund queries to external services for analysis. Even if inputs are not highly sensitive, this is still a deceptive data-handling representation that can undermine consent, privacy expectations, and auditability.

Context-Inappropriate Capability

Severity: Medium
Confidence: 86%
Finding:
The skill expands into `web_search` and `web_fetch` style capabilities despite a manifest that presents the skill as no-tool and educational-only. This broadens the attack surface by enabling retrieval of untrusted external content and behavior that reviewers or runtime policy may not expect from the declared scope.

VirusTotal

63/63 vendors flagged this skill as clean.